The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior.

=============================================================================
FreeBSD-SA-04:15.syscons Security Advisory
The FreeBSD Project
Topic: Boundary checking errors in syscons
Category: core
Module: sys_dev_syscons
Announced: 2004-10-04
Credits: Christer Oberg
Affects: FreeBSD 5.x releases
Corrected: 2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name: CAN-2004-0919
FreeBSD only: YES
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.freebsd.org/security/>.
I. Background
syscons(4) is the default console driver for FreeBSD. Using the
physical keyboard and screen, it provides multiple virtual terminals
which appear as if they were separate terminals. One virtual terminal
is considered current and exclusively occupies the screen and the
keyboard; the other virtual terminals are placed in the background.
II. Problem Description
The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
its input arguments. In particular, negative coordinates or large
coordinates may cause unexpected behavior.
III. Impact
It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory. Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This information might
be directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer might include a
user-entered password.
IV. Workaround
There is no known workaround. However, this bug is only exploitable
by users who have access to the physical console or can otherwise open
a /dev/ttyv* device node.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 5.2
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
-------------------------------------------------------------------------
RELENG_5_2
src/UPDATING 1.282.2.19
src/sys/conf/newvers.sh 1.56.2.18
src/sys/dev/syscons/syscons.c 1.409.2.1
-------------------------------------------------------------------------
VII. References
http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>